sb-as logo
Story image

Chinese websites targeted in drive-by download attack that drops DDoS bot

27 Feb 2018

Chinese websites have recently been targeted by a drive-by download campaign that dropped a Distributed Denial of Service (DDoS) bot by the name of Avzhan, a malware that has been around since 2010.

The most recent attacks were spotted by Malwarebytes Labs researchers, who say that the bizarre patterns of this particular drive-by download were not advanced, but they did demonstrate the use of several different exploits to distribute malware.

“For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China,” Malwarebytes researcher Jérôme Segura explains.

The researchers spotted the campaign after analysing compromised sites that loaded external content through iframes and scripts.

Some of those sites hosted cryptomining malware, however some redirects lead to a server that hosts several exploits.

Those exploits include three that target vulnerabilities in ActiveX, Flash Player and Internet Explorer.

The ActiveX vulnerability (CVE-2008-2551) is an old vulnerability that affects the C6 Messenger ActiveX control. The malware creator used old malware code and changed the download URL to point to their own malware.

The Flash vulnerability (CVE-2015-5119) is also an older vulnerability that affects all versions of flash up to version 18.0.0.194. Malwarebytes researchers say this code was taken from a proof-of-concept and in this instance, causes instability in the browser which may cause it to crash.

The Internet Explorer vulnerability (CVE-2016-0189), also known as ‘God Mode’, was ‘commented out’, researchers explain.

All vulnerabilities were exploited to drop the Avzhan DDoS bot, which registers itself as a Windows Service.

Although researchers didn’t catch the bot in the act of conducting DDoS attacks, its capability is clearly evident in the code.

The malware has been lurking for several years but researchers say it is anything but sophisticated. It has not really changed – instead only modifications were made to hide the malware better and to add further configuration.

“Although we see the use of several exploits, we cannot call this an exploit kit—not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same,” Segura says.

“Regardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.”

Story image
BlueVoyant acquires Managed Sentinel, builds out Microsoft MSS offerings
“Combining Managed Sentinel’s Azure Sentinel deployment expertise with BlueVoyant’s MDR capabilities will help customers operationalise and maximise Microsoft security technologies."More
Story image
Insider threat report reveals deception in the workforce
Insider threats come from people inside an enterprise, whether they divulge proprietary information with nefarious intentions, or are just careless employees that unwittingly share sensitive data, writes Bitglass product marketing manager Juan Lugo.More
Story image
Microsoft is most imitated brand for phishing attacks in Q3
Popular phishing tactics using the Microsoft brand used email campaigns to steal credentials of Microsoft accounts, luring victims to click on malicious links which redirect them to a fraudulent Microsoft login page. More
Story image
Majority of industrial enterprises face increase cyber threats since COVID-19
Leadership's top cyber security priority was implementing new technology solutions since the onset of the pandemic.More
Link image
Why the threat of ransomware requires quality resources to keep it at bay
With this ransomware prevention kit, learn actionable tactics for IT departments on how to manage backups and enable staff so that ransomware is a managed and controlled risk.More
Story image
Why best-practice threat data management provides confident automation
Understanding an organisation’s threat landscape requires having both the right threat data sources and the proper prioritisation to derive actionable threat intelligence for your organisation. More